
Sanitize

Text, URL, and HTML sanitization

sanitize cleans untrusted input. It can sanitize plain text, URLs, and HTML. HTML behavior is selected through named policies.

Install

go get github.com/duxweb/runa/sanitize

Text sanitization

value := sanitize.Text("<b>Hello</b>\x00")

Text removes HTML tags and control characters. It is suitable for plain text fields such as nicknames and titles.

URL sanitization

safe := sanitize.URL("https://example.com/a")
blocked := sanitize.URL("javascript:alert(1)")
_ = safe
_ = blocked

Unsafe protocols return an empty string.
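The two behaviours described above (Text strips tags and control characters; URL rejects unsafe protocols) are small enough to illustrate directly. The following is an added example written for this page with only the Go standard library; it is not the runa package's own implementation, and the scheme allowlist (http, https, mailto, plus same-site relative paths) is an assumption, not what sanitize.URL actually accepts.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// allowedSchemes is the allowlist assumed for this example.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// SanitizeURL returns the URL if it parses and its scheme is allowlisted,
// otherwise "". url.Parse lowercases the scheme, so "JavaScript:" and
// "javascript:" are treated alike; embedded control characters make Parse
// fail, which also ends in "". Protocol-relative "//host/x" is rejected
// because it has a host but no scheme.
func SanitizeURL(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	if u.Scheme == "" {
		if u.Host == "" && strings.HasPrefix(u.Path, "/") {
			return u.String() // same-site relative path (assumed acceptable)
		}
		return ""
	}
	if !allowedSchemes[u.Scheme] {
		return ""
	}
	return u.String()
}

// SanitizeText drops anything between '<' and '>' and every control
// character except tab and newline (assumption: those two stay as
// whitespace). An unterminated '<' drops the rest of the input: fail closed.
func SanitizeText(s string) string {
	var b strings.Builder
	inTag := false
	for _, r := range s {
		switch {
		case r == '<':
			inTag = true
		case r == '>' && inTag:
			inTag = false
		case inTag:
			// inside a tag: skip
		case unicode.IsControl(r) && r != '\t' && r != '\n':
			// drop NUL, ESC, DEL and friends
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() {
	fmt.Printf("%q\n", SanitizeText("<b>Hello</b>\x00"))     // "Hello"
	fmt.Printf("%q\n", SanitizeURL("https://example.com/a")) // "https://example.com/a"
	fmt.Printf("%q\n", SanitizeURL("JavaScript:alert(1)"))   // ""
	fmt.Printf("%q\n", SanitizeURL("//evil.example/x"))      // ""
}
```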

HTML policies

plain := sanitize.HTML(input, sanitize.PlainText())
strict := sanitize.HTML(input, sanitize.Strict())
rich := sanitize.HTML(input, sanitize.RichText())
markdown := sanitize.HTML(input, sanitize.Markdown())

  • Strict() is the default safe policy and removes dangerous tags and attributes.
  • RichText() keeps common rich text tags.
  • Markdown() keeps common structures produced by Markdown output, such as code blocks.
  • PlainText() converts to plain text.

Custom policies

sanitize.Register("custom", sanitize.Strict())
value := sanitize.HTML(input, sanitize.Use("custom"))

Common mistakes

Sanitizing only on the frontend

Frontend sanitization improves UX but is not a security boundary. Sanitize or validate on the server too.

Using Text for rich text

Text removes markup. Use HTML policy helpers when users are allowed to submit rich text.

Treating sanitization as authorization

Sanitization cleans input. It does not replace permission checks or business validation.

API quick reference

  • sanitize.Text(input) sanitizes plain text.
  • sanitize.URL(input) sanitizes a URL.
  • sanitize.HTML(input, policies...) sanitizes HTML.
  • sanitize.Register(name, policy) registers a named policy.
  • sanitize.Use(name) uses a named policy.